
Commit a6501f4

IPA: Support ID override templates
Retrieve ID override templates on subdomain initialization. When overrides are checked during IPA lookups, check for fallback template values. :relnote: SSSD now checks for existence of ID override templates in an IPA provider configuration. ID override templates support overriding loginShell and homeDirectory values for trusted AD, or upcoming IPA-IPA trusted users. This behavior is enabled by default.
1 parent 9f171a3 commit a6501f4


5 files changed

+387
-9
lines changed


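--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -210,6 +210,8 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+const char *global_template_homedir;
+const char *global_template_shell;
 };
 
 struct ipa_options {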
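Review bot: The two new `ipa_id_ctx` members are undocumented while the neighbouring `server_mode` carries a usage comment, so a reader of the header cannot tell who owns the strings or whether a NULL value is the "no template configured" state. Suggest a comment above them such as `/* Global ID override template values for homeDirectory and loginShell; presumably NULL when no template exists on the server and talloc'd on the ctx otherwise — confirm against the code that fills them */`. The rest of the struct is outside the hunk.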

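--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -372,13 +372,34 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
 
 if (is_default_view(state->ipa_ctx->view_name)) {
 ret = sysdb_apply_default_override(state->user_dom, override_attrs,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
 state->groups[state->group_idx]->dn);
 } else {
 ret = sysdb_store_override(state->user_dom,
 state->ipa_ctx->view_name,
 SYSDB_MEMBER_GROUP,
 override_attrs,
 state->groups[state->group_idx]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
+tevent_req_error(req, ret);
+return;
+}
+
+/* Individual user ID override should supersede template values,
+ * Don't add template values if normal ID override is found */
+ret = sysdb_store_override_template(state->user_dom,
+override_attrs,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->groups[state->group_idx]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+tevent_req_error(req, ret);
+return;
+}
 }
 talloc_free(override_attrs);
 if (ret != EOK) {
@@ -924,13 +945,25 @@ static int ipa_id_get_account_info_post_proc_step(struct tevent_req *req)
 type = SYSDB_MEMBER_GROUP;
 }
 
-ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+ret = sysdb_store_override(state->domain,
+state->ipa_ctx->view_name,
 type,
 state->override_attrs, state->obj_msg->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto done;
 }
+
+ret = sysdb_store_override_template(state->domain,
+state->override_attrs,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->obj_msg->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto done;
+}
 }
 
 if (state->ghosts != NULL) {
@@ -1009,14 +1042,28 @@ static void ipa_id_get_account_info_done(struct tevent_req *subreq)
 type = SYSDB_MEMBER_GROUP;
 }
 
-ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,
+ret = sysdb_store_override(state->domain,
+state->ipa_ctx->view_name,
 type,
 state->override_attrs, state->obj_msg->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto fail;
 }
 
+/* Individual user ID override should supersede template values,
+ * Don't add template values if normal ID override is found */
+ret = sysdb_store_override_template(state->domain,
+state->override_attrs,
+state->ipa_ctx->global_template_homedir,
+state->ipa_ctx->global_template_shell,
+state->ipa_ctx->view_name,
+state->obj_msg->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto fail;
+}
+
 if (state->ghosts != NULL) {
 /* Resolve ghost members */
 subreq = ipa_resolve_user_list_send(state, state->ev,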
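Review bot: In the first hunk (ipa_initgr_get_overrides_override_done, non-default-view branch) the two added `if (ret != EOK) { ...; tevent_req_error(req, ret); return; }` blocks return before the `talloc_free(override_attrs)` that immediately follows the branch, while the pre-existing `if (ret != EOK)` right after that free already handles a failed store in the original code. Either drop the early returns so the existing check reports the error after the free, or repeat `talloc_free(override_attrs);` before each `return;`; whether the skipped free is a real leak depends on the talloc parent of override_attrs, which is not visible here. The new template call in the second hunk (ipa_id_get_account_info_post_proc_step) also lacks the explanatory comment that the first and third hunks carry above the same call. All three function bodies continue outside their hunks.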

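--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -946,6 +946,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct req_input *req_input,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
+struct ipa_id_ctx *ipa_ctx,
 const char *view_name,
 struct sysdb_attrs *override_attrs,
 struct sysdb_attrs *mapped_attrs,
@@ -1611,7 +1612,7 @@ static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req)
 struct ipa_s2n_get_list_state);
 
 ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
-NULL, state->ipa_ctx->view_name,
+NULL, state->ipa_ctx, state->ipa_ctx->view_name,
 state->override_attrs, state->mapped_attrs,
 false);
 if (ret != EOK) {
@@ -2322,7 +2323,8 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 
 if (ret == ENOENT || is_default_view(state->ipa_ctx->view_name)) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, NULL, NULL, NULL, true);
+state->simple_attrs, state->ipa_ctx,
+NULL, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto done;
@@ -2475,6 +2477,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct req_input *req_input,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
+struct ipa_id_ctx *ipa_ctx,
 const char *view_name,
 struct sysdb_attrs *override_attrs,
 struct sysdb_attrs *mapped_attrs,
@@ -2905,12 +2908,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 /* For the default view the data return by the extdom plugin already
 * contains all needed data and it is not expected to have a separate
 * override object. */
-ret = sysdb_store_override(dom, view_name, type, override_attrs,
-res->msgs[0]->dn);
+ret = sysdb_store_override(dom,
+view_name,
+type,
+override_attrs, res->msgs[0]->dn);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
 goto done;
 }
+
+/* Individual user ID override should supersede template values,
+ * Don't add template values if normal ID override is found */
+ret = sysdb_store_override_template(dom,
+override_attrs,
+ipa_ctx->global_template_homedir,
+ipa_ctx->global_template_shell,
+ipa_ctx->view_name,
+res->msgs[0]->dn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override_template failed.\n");
+goto done;
+}
 }
 
 done:
@@ -2958,7 +2976,8 @@ static void ipa_s2n_get_list_done(struct tevent_req *subreq)
 &sid_str);
 if (ret == ENOENT) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, NULL, NULL, NULL, true);
+state->simple_attrs, state->ipa_ctx,
+NULL, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto fail;
@@ -2995,6 +3014,7 @@ static void ipa_s2n_get_list_done(struct tevent_req *subreq)
 } else {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs,
+state->ipa_ctx,
 state->ipa_ctx->view_name,
 state->override_attrs, NULL, true);
 if (ret != EOK) {
@@ -3031,7 +3051,8 @@ static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
 }
 
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
-state->simple_attrs, state->ipa_ctx->view_name,
+state->simple_attrs, state->ipa_ctx,
+state->ipa_ctx->view_name,
 override_attrs, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");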
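Review bot: In the fifth hunk (inside ipa_s2n_save_objects) the new `sysdb_store_override_template` call passes `ipa_ctx->view_name` while the `sysdb_store_override` call a few lines above it uses the function's `view_name` parameter; several callers in this file pass NULL for `view_name` but always a non-NULL `state->ipa_ctx`, so the two calls in the same branch can disagree about which view is being written. If the enclosing branch only runs with a non-NULL `view_name` the values coincide today, but the mismatch is a latent inconsistency; suggest `view_name,` in place of `ipa_ctx->view_name,`. Since `ipa_ctx` is dereferenced there without a check, the new parameter's contract (must not be NULL) would also be worth stating in a comment at the declaration in the first hunk. The body of ipa_s2n_save_objects continues outside the hunk.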
